-----------------------------------------------------------------------------
TJ Saunders
2001-08-30
-------------------------------------------------------------------------
Problem
------------------------------------------------------------------------
In attempting to use OpenSSL BIOs for a custom application, I encountered
the situation where I wanted a BIO chain that would compress and encrypt
data written to a sink, and decompress and decrypt that data when read
back.

I searched the OpenSSL mailing archives, and read the following two
archived messages that touched on this same topic:

  http://www.mail-archive.com/openssl-users@openssl.org/msg12948.html
  http://www.mail-archive.com/openssl-users@openssl.org/msg09399.html

While these messages contained useful hints, they weren't enough to address
my needs. The BIO described in the second message, using zlib's gzread() and
gzwrite() functions, would create a BIO that could only be used as the
last BIO in a chain, above a file BIO source/sink.

Unfortunately, this is not the ideal place for compressing data in
conjunction with encryption. As noted in "Applied Cryptography", 2nd ed,
Schneier, p. 226:

  "The important thing to remember is to compress before encryption. If
  the encryption algorithm is any good, the ciphertext will not be
  compressible; it will look like random data."

The compression BIO described in the archived messages would do compression
_after_ encryption.

For my needs, I was looking for a compression filter BIO.
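
The ordering point above, as an added example that is not part of the
original note or of the patch: it runs the same data through both orderings
using zlib's streaming interface. The cipher is a stand-in keystream built
from SHA-256 (an assumption for illustration, not OpenSSL's cipher BIO), and
the key, sample data and function names are constructed for this example.

```python
import hashlib
import zlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher (SHA-256 in counter mode); illustration only."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + (off // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def deflate_stream(data: bytes, chunk: int = 4096) -> bytes:
    """Compress chunk by chunk, the way a filter sees successive writes."""
    comp = zlib.compressobj()
    parts = [comp.compress(data[i:i + chunk]) for i in range(0, len(data), chunk)]
    return b"".join(parts) + comp.flush()


def inflate_stream(data: bytes, chunk: int = 4096) -> bytes:
    """Decompress chunk by chunk, the way a filter sees successive reads."""
    decomp = zlib.decompressobj()
    parts = [decomp.decompress(data[i:i + chunk]) for i in range(0, len(data), chunk)]
    return b"".join(parts) + decomp.flush()


def compress_then_encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Write path with the compression filter above the cipher.
    return keystream_xor(key, deflate_stream(plaintext))


def encrypt_then_compress(key: bytes, plaintext: bytes) -> bytes:
    # Write path with compression placed last, just above the file sink.
    return deflate_stream(keystream_xor(key, plaintext))


def read_back(key: bytes, stored: bytes) -> bytes:
    # Read path matching compress_then_encrypt: decrypt, then decompress.
    return inflate_stream(keystream_xor(key, stored))


KEY = b"constructed demo key"
PLAINTEXT = b"2001-08-30 12:00:00 GET /index.html 200\n" * 2000  # constructed

if __name__ == "__main__":
    print("plaintext bytes:      ", len(PLAINTEXT))
    print("compress then encrypt:", len(compress_then_encrypt(KEY, PLAINTEXT)))
    print("encrypt then compress:", len(encrypt_then_compress(KEY, PLAINTEXT)))
```
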
----------------------------------------------------------------------------
Solution
----------------------------------------------------------------------------
Write my own compression filter BIO, using lower-level zlib functions than
gzread(), gzwrite(). This requires that zlib be installed on your system
(included by default in many cases). If not present, zlib can be obtained
from:
http://www.gzip.org/zlib/
----------------------------------------------------------------------------
Comments
----------------------------------------------------------------------------
I'm not sure if this BIO is thread-safe (it should be, as long as zlib
itself is thread-safe).

A configure-time option or detection of zlib.h should probably be included,
if this code is accepted into the official OpenSSL distribution.

The patch for crypto/bio.h is not yet tested, but should work -- it adds
to crypto/bio.h the information in the included bio_zlib.h file.
---------------------------------------------------------------------------
Affected Files
---------------------------------------------------------------------------
crypto/bio.h -- add BIO_ZLIB information
------------------------------------------------------------------------------